In accordance with the Weill Cornell Medical College (WCMC) Data Classification Policy, all information systems that create, receive, store, or transmit data classified as 'Confidential' must adhere to the physical security principles of this document.
Entities Affected By This Policy
The Weill Cornell Medical College and Graduate School of Medical Sciences
- Responsible Executives: WCMC Chief Information Officer
- Responsible Department: Information Technologies and Services
- Dates: Issued: Interim, October 1st, 2007. Final Issuance: January 31st, 2008
- Contact: Information Technologies and Services
Reason for Policy
State and federal regulations, as well as general best practices, shape the security and privacy protections that must be afforded to data classified as "Confidential". This policy addresses regulatory and best practice requirements to protect physical data security.
Information systems or applications that create, receive, store, or transmit Confidential data (hereafter "Confidential Systems" - see Data Classification policy) must, without exclusion, adhere to the following:
Facility Security Controls
- Managers and administrators of Confidential systems are responsible for creating documented policies and procedures that ensure facilities containing these Confidential systems are safeguarded from unauthorized physical access. Each facility covered under these policies and procedures must have, at minimum, the following controls:
- Procedures to control and validate a person's access to facilities. These procedures should be based on role or function, and follow the minimum necessary standard by which users are given the minimum amount of access necessary to perform their job functions.
- Regular review (at a minimum interval of 6 months) of authorization for facility access of workforce members and vendors, which ensures that facility access is limited to only those with a business need for physical access to the facility.
- Logging of vendor access. All physical access to facilities by vendors must be logged (e.g. through sign-in sheets) for entry time, exit time, purpose, and the workforce member who allowed (enabled) the facility entry. Vendors should always be escorted by workforce members when in a facility covered by this policy.
- Procedures for providing facility access in support of a restoration of data in the event of an emergency or disaster.
- Procedures that ensure emergency physical access, in the event of an emergency or disaster or otherwise, when a custodian of the physical site is unavailable.
Access and Authorization
- Facilities containing Confidential systems must be located in access-controlled areas. Physical access controls must be logged and audited at least every six months, and must include one or more of the following: multi-factor authentication (e.g. token and PIN), key-card access, biometric access controls.
- Any network wiring closets or other concentrated groups of IT resources classified as "Confidential" must be secured from unauthorized access. Appropriate physical controls include door keys (where distribution is restricted, controlled, and reviewed at least once per year), or one or more of the controls listed in the paragraph above.
- Environmental controls should be in place for any facility covered under this policy. Reasonable attempts must be made to implement protections against power outages, fire, water damage, temperature extremes, and other environmental hazards.
Workstation Physical Security
- Please reference the Integrity Policy for workstation physical security requirements.
Device and Media Controls
- Managers and administrators of each facility covered under this policy are responsible for creating and documenting procedures for device and media security controls that encompass the following:
- The creation of an inventory of hardware and electronic media residing in the facility.
- Records documenting the movement of hardware and electronic media in and out of the facility.
- Maintenance records, including documentation of repairs and modifications to the security-related physical facility components. Security-related physical components include doors, locks, walls, access cards, etc.
Backup, Recovery, and Disposal
- Systems administrators and managers of Confidential systems must have documented procedures to create a retrievable, exact copy of Confidential data and must test data and system recovery on a predefined, regular basis, at least once per year. Requirements for backup of Confidential data and systems include but are not limited to:
- Confidential data and systems must be backed up (at least weekly) on a predefined, regular basis, using durable media and documented handling procedures that should include provisions for keeping a backup or a copy of a backup in off-site storage.
- Backup media must be protected from theft, environmental and physical threats, and unauthorized access.
- Reasonable efforts must be made to encrypt backup media that stores Confidential data and is external to the backup system.
- Backup systems used to create backups of Confidential data and/or systems must be capable of providing an inventory of the systems backed up, including a record of backups residing on each individual piece of media (e.g. backup tapes). The availability and accuracy of this inventory must be tested at least yearly.
- Managers and administrators of Confidential systems or data must have documented procedures for restoring those Confidential systems or data.
- Confidential data and systems must be disposed of in such a way as to ensure that data cannot be retrieved or recovered. When donating, selling, or otherwise planning to reuse information technology resources or media, users must ensure that Confidential data is rendered unreadable or unrecoverable. Acceptable methods for doing this include: complete destruction, degaussing, or using other standard Department of Defense approved techniques for wiping media. It is insufficient to simply delete information or reformat media, as that information is easily recovered.